GeodSoft

Password Evaluator
Pwcheck.pl Instructions

Overview

This evaluator was developed at a time when passwords of modest length (6 to 10 characters) with a lot of character diversity (the full 95 typeable ASCII character set) were generally regarded as the best way to make good passwords. The defaults were set to fail any password that made any of the well known mistakes that result in easily cracked passwords in such an environment.

When I recalculated the password cracking time table in 2007 I significantly underestimated the advance in computing power. When I recalculated it on May 24, 2012, it was a rude awakening. When faced with a single computer as suggested by the table, 8 character passwords don't look bad and 10 look secure. Except that . . .

The whole cracking environment has changed. The cracking tools are fully network ready (can use CPUs from other computers) and have sophisticated new developments not even hinted at in 2007. The replacement of single core with multi core computers has made huge numbers of fast computers available in poorly defended home and small business environments. Your skilled neighborhood cracker may have 10 to 1000 or so computers at his disposal. Organized crime has become part of the cracking environment. Opponents with computing power equal to a thousand to a million times a fast desktop are now plausible.

A good 8 character password can fall to brute force in a few minutes and a 10 character password in less than a month. Now a 12 character password starts to look like the minimum length that can provide any safety. Mark Burnett has pretty much convinced me it's time to seriously consider using 15 character and longer passwords.

I need to upgrade my passwords on pretty much every system I use. At least none are shared between systems and all were created by my password generator, so none are horrible; they just are not long enough to stand up to today's computers with their ability to easily crack 8 and 9 character passwords. By the time I'm done, all will be 12 characters or longer, unless I decide to go with all 15 character and longer passwords.

I've spent a fair amount of time reworking the Password Evaluator. Its new default minimum length is 15 characters. But when passwords become this long a lot changes. One thing you still do not want to do is use one long dictionary word as the basis for your password with a couple of character substitutions and 2 to 4 characters at the ends. Other things, things that make it easy to remember and/or type, become OK. Four words? There is no way a cracker can go through all combinations of four words, especially when arbitrary punctuation, symbols or numbers separate them. Lots of the same character, alphabetic and keyboard sequences, repeated patterns? All are pretty much OK. Just DO NOT TELL ANYONE HOW YOU MAKE YOUR PASSWORDS.

The default settings have mostly been changed to allow you to do things in long passwords that are too dangerous in short ones. If you want to test short passwords, don't just change the minimum password length. Select the original defaults for 6 character passwords. You will see that nearly all settings are quite different. If you want to test strong conventional passwords from 12 to 14 characters, select the 12 character password settings. Again most settings differ from the 15 character settings, but they are closer to the 6 character ones. A 15 character password is almost a million times stronger than a 12 (three more positions from 95 characters is 95^3, about 857,000). The settings are obviously user changeable, but I know how the evaluator works, and I've tried to make the settings as relaxed as is appropriate to the password length while still warning you, in most cases, when you are doing something that is likely to give a cracker an exploitable advantage.

Password Evaluator is designed to examine passwords and tentative passwords to look for dictionary words and patterns that a password cracking tool might exploit. It looks for reversed, rotated, keyboard shifted, truncated, dropped letters, substituted characters and other variations on dictionary words both singly and in many combinations. It looks for too many of a single character, keyboard and ASCII sequences, a character repeated too many times without different intervening characters and character patterns that repeat. It looks for phone numbers, dates and social security numbers.

The intent is to find any password that could be found in a dictionary or electronic word list, as well as any plausible programmatic variation of such words, including combinations of two or more words, and combinations of words with patterns that might be generated from character arrays representing the ASCII collating sequence or the keys on a standard keyboard.

It's still a really bad idea to have one long word form the basis of a password. It makes no practical difference how many transformations you apply or if you add a few characters to the front or back. These are exactly the kinds of changes that cracking tools were designed to find. Today a desktop computer can test an English unabridged dictionary with a million variations per word in under 3 hours. Two words separated by a character are only a little better. A few more non letter characters in the front, middle and back will certainly help. What's interesting is that as you go to three words, the words no longer help the cracker. The number of combinations begins to work against the cracker, especially if one of the words is a medium length word (7 to 9 characters). Of course you need to avoid really stupid combinations like iloveyou, which is technically 3 words but only 8 letters and just misses making the top 100 most used passwords. Probably every variation you could think of trying to make to those 3 words has already been programmed by many crackers. Four words makes the number of combinations astronomical. If adding some non letters between the words pushes the length over 15, and you've avoided any well known phrase, you are getting into a seriously strong password.

Any pattern that can be described, or any word that can be varied in a manner that can be described, and any combination of these, are more likely to produce passwords in actual use than a brute force method. Thus, password cracking tools are likely to acquire the capabilities to manufacture large subsets of what have traditionally been thought of as good passwords.

Password Evaluator in a web form is purely advisory. Users are free to disregard errors as well as warnings, though Password Evaluator will not display length and strength for any password with one or more "error" conditions. If a user believes the minimum password requirements are too stringent, there are numerous configuration options that will allow them to be relaxed. Shortening the minimum password length, lengthening the minimum or maximum dictionary word lengths, increasing the maximum word length ratio, increasing the allowed number of any maximum character or pattern type, not checking for specific password types, and not checking for words across non letters, will all loosen conditions that generate errors.

With the original settings for 6 character passwords, a password with a length over 10, and a strength over 7 (no errors), should not be easily cracked with today's (2012) cracking tools using default rules and an unabridged dictionary available online. Note the caveats: default rules and online dictionaries. Serious crackers won't be using default rules, and dictionaries sold with cracking tools are likely more complete than the public domain unabridged dictionaries that are readily available and very old. This is the minimum for a "strong" password. The last tables I calculated are well over a year old (another doubling of computer speeds). The tables are based on assumptions and estimates that cannot be verified. 12 characters with a strength of 10 is much safer. I'm seriously thinking about 14 or 15 character passwords for all new passwords. 15 characters or more should allow for more relaxed rules, but I'm old school and find it hard to create passwords that do not use all character types: upper and lower case, digits, and symbols or punctuation.

Password evaluator includes a significant list of common names as well as lists of common passwords. It does not include words drawn from lists related to popular culture or other specialty areas. Thus it will likely miss passwords based on sports, contemporary musical groups and movies, slang, brand names, and other terms in common use today, but not readily available in existing online word lists. It would be very useful to have all of the following for the past 50 to 100 years: singers and bands that released commercial recordings; movie and TV titles plus all actors; makes and models of cars; brand names and products sold in supermarkets, department stores and drugstores; every player from major league sports and all olympic medalists and podium finishers in international sports. I've probably missed several lists. Somebody has most of these or at least large parts of them, but no one is giving them away free online, that I've seen.

Comprehensive lists of these and other popular culture items would likely crack many of the passwords that have so far remained uncracked. We know people prefer to use the names of people and things that they relate to as the basis for most known passwords. To the best of my knowledge none of these lists are readily available in anything close to complete form. It only makes sense that a large portion of uncracked passwords are the names of people and things that simply do not appear in an unabridged dictionary or existing cracking dictionaries. A small percent of users do use strong passwords, so these also account for a portion of those passwords that remain uncracked.

  Strength

Loosening the conditions that cause errors to be reported will not affect the strength calculation. This is based on password length and character diversity.

When I wrote the evaluator more than a decade ago I thought a strength of 2 was the beginning of reasonable resistance to brute force attacks. Today (2012) I'd say anything under 7 should be for unimportant throwaway accounts. The strength ratings are intended solely as relative strength ratings. From 1 upward, each increase represents ten times greater resistance to brute force attacks than the preceding rating. There are no fractional ratings, so there is no 5.99 or 11.01. A 9 is more than 10 times stronger than a 7 and less than 1000 times stronger; on average a 9 should be about 100 times stronger than a 7. This logarithmic scale seems appropriate, as the number of CPU cycles necessary to crack a password with brute force jumps significantly with each additional character and each additional character type.

It's worth noting that a "good" 8 character password is likely to get a strength of 3. Against a single fast desktop some may consider this adequate. It takes almost 25 days to do all 8 character passwords. In practice 2 weeks is pretty likely for any specific password. If a cracker was using his own PC to do this, that would require some patience. If he had a handful of compromised computers working on this, it's quite different. He'd start them running and check them periodically. By the end of the first week he'd have all dictionary words and pretty much every conceivable transformation, plus all 8 character passwords. If the opponents targeting a system where you have a password are Russian mafia, who may have a fast network of computers (including many compromised systems), 7 hours does not look very good.

When talking about length and strength, nearly everyone considers four character groups: lower case letters, upper case letters, digits and symbols. To calculate password strength, I've taken a somewhat different approach. I've counted upper and lower case consonants and vowels separately. I do this because nearly all password cracking tools recognize these as different character groups and there is nothing to stop a cracker from focusing on vowels or consonants. Any password that has a consonant in one case and a vowel in the other case gets the full 52 character count. Mixed case vowels are counted as twice the 10 characters they represent; it's a set of characters no one is likely to look for. The ten digits count for 10 and are vastly more likely to be searched than mixed case vowels with no consonants. Searching vowel-only passwords makes no sense for a cracker because there is no evidence to suggest anyone makes passwords with only vowels. Mixed case consonants, on the other hand, get no bump; they already count for 42, which is not far from 52. There is good reason to look for consonants only; it's well known this is one of the ways some people make passwords. I'd guess anyone reading this can tell what the following words are: psswrd, cnt, cnsnnt, dctnry. I'd give 52 for mixed case vowels only before giving 52 for mixed case consonants only. If there are only a few letters in a password, mixed case consonants with either case vowel is probably marginally stronger than any combination except both mixed case vowels and consonants.

There is no one right way to calculate password strength because every good password cracker is likely to take a somewhat different approach. Each approach will crack different passwords at different speeds, and each will likely miss some passwords that another finds. To give an honest strength rating to passwords, I have to apply my knowledge of cracking techniques to the likelihood of what crackers will do first and what they are most likely to do or not do.

For this reason I also divide the symbols into three groups: the top of the keyboard (!@#$%^&-_=+); punctuation ( ;:'",./?), which includes the space; and programming symbols (`~()[]{}<>|). Any password using two symbols from any two groups gets credit for all 32 symbols. When explaining good passwords to anyone without a good technical background, it's hard enough to explain the need for symbols in passwords, let alone why some symbols may be better or worse than others. You could argue all day about the groups I chose and which symbols I put in each group. All I can say is that I made what I believe to be the best selection.

The fact is that not all symbols are equal when it comes to cracking passwords, and I believe that good crackers prioritize this group more than any other, and may even completely exclude characters from it. How often does anyone use the tilde ("~")? Not only is it rarely used, it's shifted and an extreme reach for the little finger of most people's weaker hand. It's hard to type. It's also the last character in the ASCII collating sequence, after {, |, }. These are also shifted, and the last two, the pipe and right curly brace, are pretty good stretches for the right little finger. If I were to run a brute force attack, these four would be the last characters I'd use; I might even consider not using them. Not one of them ever appears in a list of the 10,000 most common passwords. That makes these four characters great characters with which to start a strong password. Actually, doing anything that 99% of computer users don't do with passwords will make for stronger passwords; they may not be good passwords for you, if you have trouble typing or remembering them.

Except for systems that require an email address as an account name and the computers I own where I use the same user name, all of my user or account names and all my passwords are different. All of my passwords have been generated by my password generator using non default patterns which I change from time to time, and were believed to be uncrackable at the time I selected them. I don't believe in routine or frequent changes of uncrackable passwords. Passwords should be changed if there is any reason to believe either the system they are on or the account has been compromised.

In 2012 I got a rude surprise when I did some research into current password crackers and recalculated my password cracking time tables. I did not feel a sense of urgency; all my passwords were strong by normal standards. But I knew most of my passwords needed to be upgraded. I've been doing so since then and all changed passwords were at least 12 characters with a strength rating of at least 10. At the end of 2013 I'm quite seriously thinking about a minimum length of 14 and strength of 15 or higher.

15 is the default minimum length in the password evaluator, set in 2012. Associated with the length increase are greatly relaxed standards for repeated characters and various common character sequences (keyboard, consecutive letters and/or numbers, etc.). NEVER shorten the minimum password length with the new defaults; ALWAYS select the 6 or 12 character password settings with the links provided. Shortening the minimum password length, while leaving the other defaults from the minimum 15 character length, renders the Password Evaluator unable to find any dictionary word shorter than 8 characters, making the results useless with ordinary length passwords. It also cannot find dangerous keyboard and ASCII sequences, repeated characters, or repeated character groups. I suggest everyone consider the minimum lengths and strengths I've discussed here, at least for any accounts that contain sensitive information or are important like bank and credit card web sites.

Check Passwords for Systems Using LM Hashes
(Pre Vista Windows and Other Systems)

If you are using Windows Vista or later you do not need to check this option, UNLESS you have deliberately enabled LM (LAN Manager) hashes. If you are using any version of Windows prior to Vista you DO need to check this option, UNLESS the Windows version is 2000 SP2 or later and you have followed one of the procedures described on this Microsoft Support page to disable LM hashes. If for some reason you are still using any version of Windows older than 2000 SP2, you need to check this option. ALSO, some systems that are not Windows, including Macs and Unix variants with Samba installed, have used LM hashes to take advantage of shared Windows printers and folders, or to make them available. Any system still using LM hashes needs to check this option.

If you use Windows you should read this page to understand the weakness of Windows password storage and why you need passwords 15 characters or longer that have never been seen by you or anyone else before. You may also create uncrackable passwords by using an unprintable character in your password. These may be entered in various ways on different systems. See how.

Because of the unusual way in which LM hashes are created, most of the usual recommendations for forming good passwords don't apply. If this option is checked, Password Evaluator, will adjust to LM hash peculiarities. First the password is split into two 7 character pieces which are checked separately. Case is ignored and maximum dictionary word length is set to 2.

With 7 character halves, even a three character word at the beginning of a half will greatly simplify a cracking tool's task. Beginning an LM half with a three character word effectively reduces the problem to a 4 character brute force attack, which many cracking tools will handle easily.

The highest possible LM hash strength is 4 and this will include at least one Alt code character. It will also include two symbols or punctuation from different parts of the keyboard and a consonant, vowel, and digit. NOTE: Entering Alt code characters will create passwords that are not crackable and much stronger than the listed strength. Because no cracking tool uses these characters, and there are so many of them, these passwords will never be cracked until the cracking tools and assumptions are changed.

The total strength of an LM hash password will be the strength of the stronger half. For most purposes the other piece can be ignored; it's not needed and does not matter even if it contains errors. Two pieces rated 4 will be somewhat stronger than one piece, but this is not significant on an exponential scale.

Minimum Password Length

Sets the minimum number of characters allowed in a password. Any password less than this length will generate an error message.

Minimum Dictionary Word Length

Sets the minimum number of characters that Password Evaluator treats as a word. When checking pure alphabetic passwords, it may be advantageous to set this to 4 or higher. Password Evaluator treats any dictionary match that is not fully contained within another match as a word, including reversed words. Any pronounceable letter sequence has a good chance of containing multiple words, though there may not be any practical programmatic way to put these together. For example, "quirehc" contains quire and reversed che. The longer a pronounceable alphabetic sequence becomes, the more likely there will be multiple words contained within it. It's also less likely there will be a general description of the method by which the password was created, i.e., an algorithm or specific set of steps to create similar passwords. If the rule set requires specific knowledge of the password, it is meaningless, as the sole purpose of cracking is to find unknown passwords that cannot be predicted from the hashes used to store them. Without such an algorithm, the cracking tools cannot program a method for creating such a password.

Raising the minimum word length to 4 significantly reduces the number of run together and overlapping words in long alpha only sequences. For passwords less than 11 characters it is a bad idea to increase the minimum over three, as this prevents Password Evaluator from catching fairly obvious passwords such as "dog8cat". Not only is it "clever", but it consists of two short, very common words separated by a non letter. This may be the simplest and most productive custom dictionary to program after the standard dictionary transformations. Without a large supply of uncracked passwords to test this on, there is no way to know.

With long passwords things are very different. The number of combinations of four words, with separators, is enormous. There is no way a cracker can reasonably put them all together. Even trying to focus on only the most common words results in huge lists. A password which happens to have one each of 3, 4, 5 and 6 character words is already 18 characters. Add digits and/or punctuation characters to separate them and you are at 21. Brute force has no chance and it is difficult if not impossible to think of a programmatic way to attack such a password.

Just using the very small (about 45,000 word) Linux dictionary, which holds 13,124 words of 3 to 6 letters, there are 13,124^3 (about 2.3e+12) three word arrangements and 13,124^4 (about 3.0e+16) four word arrangements of those words. By comparison there are 95^12 (about 5.4e+23) twelve character passwords from the 95 printable characters. So the bare word combinations are not, by themselves, a larger space than a strong 12 character password; a four word phrase from this list falls about seven orders of magnitude short of it. What the phrase gains is elsewhere. Three separators drawn from the 43 digits and symbols multiply the count by 43^3 (about 80,000). A vocabulary larger than the cracker's word list (names, jargon, misspellings) moves the phrase outside the list entirely. And the cracker must know or guess the construction (how many words, which separators, where) before any of these counts apply at all.

Seen against plain brute force the phrase is simply a long password: four 3 to 6 letter words plus three separators run 15 to 27 characters, and even the shortest case, 95^15 (about 4.6e+29), is almost a million times the 12 character space.

Four six letter words already make a 24 character password, and there are 95^24 (about 2.9e+47) passwords of that length. To make pass phrases easier to read and probably type, we could always put the easy to type semicolon (it's the only punctuation character directly under a home key finger) between each word. Or on most modern systems we could simply use a space. Always doing either does not make more passwords, but it does lengthen all of them by three characters, bringing the all 3 letter word pass phrases up to 15 characters. There is no way a cracker can deal with this password space. Unless the user does something stupid, like picking a series of words that are a common phrase or part of a common phrase, these pass phrases are simply not crackable, and probably never will be.

The new password defaults are set up to test passwords 15 characters and up. To test shorter passwords DO NOT just change the minimum password length. Instead click on original defaults for 6 to 12 character passwords or use the suggested defaults for 12 to 14 character passwords. The new default settings will not work with shorter passwords. In particular no dictionary words can be found. Finding them is the primary benefit of using the evaluator, and it is simply a waste of time to test short passwords with the default settings. Also, the settings that made sense with short passwords will not work with long passwords that deliberately contain multiple words, patterns, character sequences, or repetitive characters to make them easy to remember.

Setting the Minimum Dictionary Word Length over the longest word in a password disables dictionary checking for that password. Setting the Minimum Dictionary Word Length above 10 disables dictionary checking for most practical purposes. Setting it to 99 or any length longer than any password you plan to enter disables all dictionary testing. If this is done, none of the maximum word related settings need to be changed. Disabling dictionary checking largely defeats the purpose of using the Password Evaluator.

Maximum Dictionary Word Length

Sets an upper limit on the longest dictionary word allowed in any password. Any dictionary word longer than this, after non letters have been removed, will trigger an error. If the word is truncated, the length of the completed dictionary word is used. Generally the maximum word length ratio is more important. The maximum word length can be used to set an absolute limit, but why? A 6 character word in a 10 character password is more useful to a cracker than an 18 character word in a 30 character password. There is no way to try the word separately. Which of the 8 to 9 hundred 18 character words are you using? While there are about 20 times more 6 character words, the 12 remaining characters of the 30 character password (95^12, about 5.4e+23, with the word in any of 13 positions) make the 4 remaining characters of the 10 character password (95^4, about 8.1e+7, with the word in any of 5 positions) look infinitesimal; the ratio is roughly 10^16. All this assumes the cracker knows he is dealing with a password exactly 30 characters long containing one word exactly 18 characters long. If the source of that intelligence is reliable, how could it know the exact password length and word length but have no clue as to the location? The longer the password, the less one long word of the same ratio between word and password length matters.

Maximum Dictionary Words

Limits the maximum number of dictionary words allowed in a password. The default is 1. The allowed word or words must be no longer than the maximum dictionary word length or than the password length times the maximum dictionary word ratio. This allows dictionary words or transformations of them that are a limited part of a password. It's very hard to create long pronounceable alphabetic sequences without getting any short words or any possible variation of a word in them. Setting maximum dictionary words to 2 will prevent Password Evaluator from rejecting relatively obvious passwords like "cat8rat", which it was expressly designed to catch.

As password length increases to the point that 3 or more short words will fit, plus some additional characters, it starts to make sense to allow multiple words. Passwords long enough to hold 4 or more words and a few additional characters appear to be uncrackable provided well known phrases and similar mistakes are not made. The number of possible 4 word passwords from any realistic vocabulary, with separators, is large enough that a cracker cannot practically enumerate it without first guessing how the password was constructed.

Setting this to 0 will prevent any word or identified transformation of a word from being accepted in any password. A word is any character sequence equal to or longer than the minimum dictionary word length that appears in the dictionary used for checking. Straight lookups and reversed word lookups are always performed. Some of the tests cannot be performed or make no sense on short character strings so the Password Evaluator contains some hard coded lower limits related to word length.

Maximum Word Length Ratio

Maximum word length ratio may be the most important single setting. The default is .66 for passwords of all lengths. It's the only setting that is the same for all password lengths. This results in the rejection of any password where a dictionary word or variation on a dictionary word is two thirds or more of the total length. The setting .67 is much weaker for short passwords, and I personally would be uncomfortable with settings over .7 for even very long passwords. The default .66 limits 6 character passwords to one three letter word, 7 character passwords to a four letter word, and 8 and 9 character passwords to five character words. Six, seven and eight character passwords must have at least three characters that are not part of a dictionary word. Nine character passwords need at least four non word characters. .66 will allow cat824 or batxzt but not boat11 (4/6 = .667). .67 would allow boat11. There is no question that cat824 is a weak password, but that is reflected by its 0 strength rating.

Having to find three non word characters adds a significant computational overhead. If only letters are being examined the work load is increased by a factor of 17,576 (26^3). If all 95 printable characters are being checked, the factor is 857,375 (95^3). Depending on assumptions regarding character sets and word lengths used, "cat824" is somewhat to many times stronger than "cat8rat". "cat8rat" is very much at the easy end of passwords made from two short words separated by a non letter, based both on word frequency and password length.
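An added Python illustration of the dictionary related settings described in this section and the LM hash section above (minimum and maximum word length, maximum words, the word length ratio, words found across non letters and under look-alike substitutions, and the LM mode that judges two 7 character halves with case ignored). This is not the code of Pwcheck.pl; the tiny word list and the substitution table are constructed for the example, the real evaluator uses an unabridged dictionary plus name and password lists, and which additional transformations it applies is not reproduced here.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Set, Tuple

# Constructed miniature word list standing in for the evaluator's dictionary.
WORDS: Set[str] = {"cat", "rat", "dog", "bat", "boat", "love", "you",
                   "quire", "che", "hat", "ate", "pass", "word"}

# A few look-alike substitutions that cracking rules routinely undo (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class Settings:
    min_word_len: int = 3        # Minimum Dictionary Word Length
    max_word_len: int = 99       # Maximum Dictionary Word Length
    max_words: int = 1           # Maximum Dictionary Words
    max_ratio: float = 0.66      # Maximum Word Length Ratio (reject at or above)
    across_non_letters: bool = True
    lm_hash: bool = False        # 7-character halves, case ignored, max_word_len 2


def find_words(text: str, min_len: int) -> List[str]:
    """Dictionary words, forward or reversed, of at least min_len letters
    that are not fully contained in a longer match (the page's definition)."""
    text = text.lower()
    hits: List[Tuple[int, int, str]] = []
    for i in range(len(text)):
        for j in range(i + min_len, len(text) + 1):
            sub = text[i:j]
            if sub in WORDS:
                hits.append((i, j, sub))
            elif sub[::-1] in WORDS:
                hits.append((i, j, sub[::-1]))
    maximal = [h for h in hits
               if not any(o is not h and o[0] <= h[0] and h[1] <= o[1] for o in hits)]
    return [h[2] for h in sorted(maximal)]


def word_views(pw: str, s: Settings) -> List[str]:
    """Strings the word search runs over: each run of letters, the letters
    joined across non letters, and both again with substitutions undone."""
    views: List[str] = []
    for text in (pw, pw.translate(LEET)):
        runs = re.findall(r"[A-Za-z]+", text)
        views += runs
        if s.across_non_letters and len(runs) > 1:
            views.append("".join(runs))
    return [v for v in views if len(v) >= s.min_word_len]


def dictionary_errors(pw: str, s: Settings = Settings()) -> List[str]:
    """Error conditions from the dictionary related settings (empty = pass)."""
    if s.lm_hash:
        # Each 7-character LM half is hashed on its own with case folded, so
        # each is judged alone with a maximum word length of 2; LM ignores
        # anything past 14 characters.
        half = replace(s, lm_hash=False, max_word_len=2)
        return [f"half {n}: {e}" for n, piece in enumerate((pw[:7], pw[7:14]), 1)
                for e in dictionary_errors(piece.upper(), half)]
    errors: List[str] = []
    most: List[str] = []
    longest = ""
    for view in word_views(pw, s):
        found = find_words(view, s.min_word_len)
        if len(found) > len(most):
            most = found
        for w in found:
            if len(w) > len(longest):
                longest = w
    if len(most) > s.max_words:
        errors.append(f"{len(most)} dictionary words ({', '.join(most)}); maximum is {s.max_words}")
    if longest:
        if len(longest) > s.max_word_len:
            errors.append(f"'{longest}' exceeds maximum word length {s.max_word_len}")
        ratio = len(longest) / len(pw)
        if ratio >= s.max_ratio:
            errors.append(f"'{longest}' is {ratio:.2f} of the password; limit is {s.max_ratio}")
    return errors


if __name__ == "__main__":
    for pw, s in (("cat824", Settings()), ("boat11", Settings()), ("cat8rat", Settings()),
                  ("p4ss$w0rd", Settings()), ("Boat;you!quire7", Settings(max_words=4)),
                  ("Boat;you!quire7", Settings(max_words=4, lm_hash=True))):
        print(f"{pw!r:20} {dictionary_errors(pw, s) or 'ok'}")
```

The examples from the text behave as described: cat824 and batxzt pass at .66 while boat11 fails until the ratio is raised to .67; cat8rat fails on the word count until the maximum is raised to 2; "quirehc" yields two words at a minimum word length of 3 and one at 4. The last case shows why the LM halves matter: a 15 character phrase that passes the ordinary checks fails in both halves once it is split at character 7.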

If the intent is to use only strong passwords, then the minimum length should probably be set to 12 and only passwords rated around 12 or higher considered. If you have obtained a strength reading for a very long password by disabling several to all of the tests, the strength rating you have obtained is highly suspect. The full lowercase alphabet, i.e., a 26 character password, will give you a strength reading of 26. Don't believe it. As more people begin to use long passwords, the crackers will start to add the trivial variations of these to their dictionaries. On the other hand, if you use the full alphabet but upper case a few arbitrary letters, or switch the order of a couple of character pairs, or substitute a couple of lookalike symbols, it very quickly becomes a very different game, with the advantage having swung back to you, at least for about the next decade or so. If you did all three, it is very difficult to see how the password could be cracked for the foreseeable future.

Maximum Character Occurrences

Sets an upper limit on how many times a single character can appear in a password. If the number is 1 or more it's treated as a count of how many times any single character may appear. If it's less than 1, then no character may make up a larger portion of the password than the fraction entered. The default is 0.8 for 15 character passwords, which allows any single character to be up to but no more than 80% of the characters in a password. 0.4 is suggested for 6 character passwords, which is 2 in a six character password, 3 in seven, eight and nine character passwords and 4 in ten and eleven character passwords. 0.5 is suggested for 12 to 14 character passwords. A 0 disables this check.

Minimum Duplicate or Mirrored Sequence Length

Most sequences discussed on this page are runs from the ASCII collating sequence or from the keyboard. Here the subject is any sequence of "unrelated" characters that is duplicated or mirrored (repeated in reverse) elsewhere in the password. Most often that means a word or part of a word, though it could be anything. This setting can also be less than 1, in which case the limit is the integer portion of the password length multiplied by this number. The default for 15 character passwords is 0.6, and since you cannot fit two copies of something longer than half the password into it, the check is effectively disregarded for 15 character passwords. 3 characters are suggested for 6 to 11 character passwords and 4 characters for 12 to 14 character passwords. Any value greater than 0.5 and less than 1 disables this check.

Maximum Sequence Characters

Sets an upper limit on how many consecutive characters from the ASCII collating sequence or from keyboard rows are allowed. Sequences count in either direction, so "345" is a sequence and so is "cba". Keyboard sequences are physical keys regardless of shift state, so "6&8" is a sequence, as are ">,M" and "*&6". The limit also applies to alternate character sequences, i.e. every second character of the password: "*j1a2c3K?" would be disallowed (the digits 1, 2 and 3 occupy alternating positions), as would "1b^o5a$T!" ("^5$" is a reverse alternate character keyboard sequence). This can also be less than 1, in which case the limit is the integer portion of the password length multiplied by this number.

The default is 0.5 for 15 character passwords, which is 7 characters for 15 character passwords and 8 characters for 16 character passwords. 2 character sequences are suggested for 6 to 11 character passwords and 3 character sequences for 12 to 14 character passwords. A 0 disables this check.
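Worked example, added here and not part of pwcheck.pl: the sequence check described above in Python. It assumes a US QWERTY layout (the script's own key table is not shown on this page), compares physical keys regardless of shift state, folds letter case before the ASCII comparison (an assumption; the page says only "ASCII collating sequence"), and inspects the whole password plus both alternate-character views. The limit follows the same convention as the page: a value below 1 is a ratio of the password length.

```python
# Added example (not pwcheck.pl's code): ASCII and keyboard sequence detection.
# Layout assumed: US QWERTY. Shift state is ignored for keys; case is folded
# for the ASCII comparison.
_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]

# character -> (row, column) of the physical key that produces it
_KEYPOS = {}
for _row, (_lower, _upper) in enumerate(_ROWS):
    for _col, (_lo, _up) in enumerate(zip(_lower, _upper)):
        _KEYPOS[_lo] = (_row, _col)
        _KEYPOS[_up] = (_row, _col)


def resolve_limit(value, length):
    """A setting below 1 is a ratio of the password length (integer portion)."""
    return int(value * length) if 0 < value < 1 else int(value)


def _ascii_step(a, b):
    """Distance in the ASCII collating sequence, case folded."""
    return ord(b.lower()) - ord(a.lower())


def _key_step(a, b):
    """Distance between two keys in the same keyboard row, else 0."""
    pa, pb = _KEYPOS.get(a), _KEYPOS.get(b)
    if pa is None or pb is None or pa[0] != pb[0]:
        return 0
    return pb[1] - pa[1]


def _longest_run(chars, step):
    """Longest run of neighbours with a consistent +1 or -1 step."""
    if not chars:
        return 0
    best = run = 1
    direction = 0
    for a, b in zip(chars, chars[1:]):
        d = step(a, b)
        if d in (1, -1) and direction in (0, d):
            run += 1
            direction = d
        elif d in (1, -1):          # direction reversed: (a, b) starts a new run
            run, direction = 2, d
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def longest_sequence(password):
    """Longest ASCII or keyboard sequence in the password itself or in either
    alternate-character view (every second character, from position 0 or 1)."""
    views = (password, password[0::2], password[1::2])
    return max(_longest_run(v, step) for v in views for step in (_ascii_step, _key_step))


def sequence_ok(password, max_sequence=0.5):
    """Apply the maximum sequence characters setting; 0 disables the check."""
    if max_sequence == 0:
        return True
    return longest_sequence(password) <= resolve_limit(max_sequence, len(password))
```

With the suggested limit of 2 for a 9 character password, sequence_ok("*j1a2c3K?", 2) is False because the alternate view "*123?" holds the three character run "123", while "d*aP@d*1?" (the page's later example) has no run longer than 1 and passes.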

Maximum Repeat Characters

Sets an upper limit on how many times the same character may repeat without a different character intervening. A 1 disallows any doubled character. A 0 disables repeat checking.

Maximum 2 Character Pattern Repeats

Sets an upper limit on how many times the same two consecutive characters can appear in a password; this applies to any and all characters regardless of where they appear in the ASCII collating sequence or on the keyboard. If this were set to 2, "d*aP@d*1?" would be allowed ("d*" appears twice) but not "d*Ad*@1d*?" ("d*" appears three times).
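Worked example, added here and not part of pwcheck.pl: the four count-based checks described above (maximum character occurrences, minimum duplicate or mirrored sequence length, maximum repeat characters and maximum 2 character pattern repeats) in Python. Settings below 1 are taken as a ratio of the password length, integer portion, as the page describes; treating 0 as "disabled" for the pattern repeat check is an assumption carried over from the other checks.

```python
# Added example (not pwcheck.pl's code): count-based password checks.
# A setting below 1 means that fraction of the password length (integer
# portion); 0 disables a check (assumed for the bigram check).
from collections import Counter


def resolve_limit(value, length):
    return int(value * length) if 0 < value < 1 else int(value)


def max_char_occurrences(password):
    """How many times the most frequent character appears."""
    return max(Counter(password).values()) if password else 0


def occurrences_ok(password, max_occurrences=0.8):
    """Maximum character occurrences: 0.8 allows 12 of 15 characters alike."""
    if max_occurrences == 0:
        return True
    return max_char_occurrences(password) <= resolve_limit(max_occurrences, len(password))


def longest_duplicated_or_mirrored(password):
    """Length of the longest substring that also appears, forwards or
    reversed, in the non-overlapping remainder of the password."""
    n = len(password)
    for size in range(n // 2, 0, -1):          # longest candidate first
        for i in range(n - size + 1):
            chunk = password[i:i + size]
            rest = password[i + size:]         # looking right only still finds every pair
            if chunk in rest or chunk[::-1] in rest:
                return size
    return 0


def duplicate_ok(password, min_dup_len=3):
    """Minimum duplicate or mirrored sequence length. A ratio above 0.5
    cannot fit twice, so it disables the check, as the page notes."""
    limit = resolve_limit(min_dup_len, len(password))
    if limit <= 0 or limit > len(password) // 2:
        return True
    return longest_duplicated_or_mirrored(password) < limit


def longest_repeat_run(password):
    """Longest run of one character with nothing intervening."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def repeat_ok(password, max_repeat=1):
    """Maximum repeat characters: 1 forbids any doubled character, 0 disables."""
    return max_repeat == 0 or longest_repeat_run(password) <= max_repeat


def max_bigram_repeats(password):
    """Occurrences of the most frequent two-character pair, counted at every
    position (so "aaa" holds "aa" twice)."""
    pairs = Counter(password[i:i + 2] for i in range(len(password) - 1))
    return max(pairs.values()) if pairs else 0


def bigram_ok(password, max_pattern_repeats=2):
    """Maximum 2 character pattern repeats."""
    return max_pattern_repeats == 0 or max_bigram_repeats(password) <= max_pattern_repeats
```

The mirrored check only looks to the right of each candidate chunk: for any two positions the earlier one sees the later one, and a reversed copy is symmetric, so nothing is missed while each pair is examined once.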

Do Not Allow All Digits

If checked, disallows passwords consisting solely of digits. There are fewer digits than characters of any other type, making the number of possible passwords particularly small if all digit passwords are allowed. The only character type that might be considered smaller than the digits is single case vowels, but usually all 26 letters of one case are treated as a group. The default is to not allow all digit passwords.

Maximum Digit Ratio for Full Strength Estimate

The standard strength calculation is a function of how long the password is and the diversity of its character types. If the proportion of digits in a password exceeds the maximum digit ratio for full strength estimate, the strength calculation may be adjusted downward. The default is .7. The reasoning is that if any standard numeric format is used, the separators are mostly noise and contribute nothing to the strength of the password. If the password contains any letters, the normal strength calculation is used, as no known standard numeric format contains letters.

If the password's digit ratio exceeds the maximum and it contains no letters but does contain any of the common numeric separators "/", "-", "(" or ")", then only the digits are used in calculating the password strength. That pretty much means the strength will be zero, as it takes 13 digits to get a strength of 1. Mostly digits, no letters and these separators is very suggestive of a standard numeric format such as "(222) 333-4444" for a phone number. This pattern is 14 characters long, but all likely variations can be generated just by changing the 10 digits. Further, only about a quarter of the possible area codes are assigned. Finally, using just the area codes local to the target computer is likely to be much more productive than using all valid area codes.

Keep in mind that the cracker's goal is to make the best use of available CPU cycles by trying candidates that have a significantly better chance of being used than any random character sequence. So the cracker can likely improve efficiency further by using only assigned local exchanges. Local phone numbers might not produce a single password, but they have a much better chance than any comparable length random sequence, whether you count 10 or 14 characters. Local phone numbers are much more likely to be used than any particular long distance number, and standard phone number formatting, (222) 333-4444 or 222-333-4444, is more likely to be used than non standard, e.g. 222x333*4444.

If the password's digit ratio exceeds the maximum and it contains neither letters nor any of the common numeric separators, the strength is reduced by 1 from what it would otherwise be.

Maximum Vowels Only and Maximum Consonants Only

One common way to form passwords is to drop the consonants or, especially, the vowels from a word, e.g. psswrd. The maximum vowels only and maximum consonants only checks prevent this with very low CPU and I/O overhead. The default settings are both 2. Limiting the kinds of character variation in a password is not good, so it's useful to disallow consonant or vowel heavy passwords even when they are not derived from dictionary words. These should not be decreased, as that would discourage the use of a few letters in a password made up mostly of digits, symbols or punctuation. Setting these to three should have no adverse consequences. Setting them higher will start to allow modified dictionary words that form a significant part of the password.

Do Not Allow Dates, Phone or Social Security Numbers

By default all of these are checked and prevent passwords that consist entirely or almost entirely of dates, phone numbers or social security numbers. Common formats and obvious variations are checked. Only passwords that consist entirely of these or these plus white space are rejected. Even obvious dates, phone numbers and social security numbers are allowed if the password contains other non white space characters.
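Worked example, added here and not part of pwcheck.pl: the digit-related checks of the last few sections in Python. The page does not give the strength formula itself, so the ratio function returns which adjustment applies and which characters the formula should be applied to, rather than a strength number. The list of date, phone and social security number formats is an assumption: the page says "common formats and obvious variations" without enumerating them.

```python
# Added example (not pwcheck.pl's code): all-digit rejection, the digit ratio
# adjustment, and rejection of passwords that are nothing but a standard
# numeric format (plus white space).
import re

# Separators the page names as typical numeric-format noise.
NUMERIC_SEPARATORS = set("/-()")


def all_digits(password):
    """Do not allow all digits: True when every character is a digit."""
    return password.isdigit()


def digit_ratio_adjustment(password, max_digit_ratio=0.7):
    """Decide how the strength estimate must be adjusted for a digit-heavy
    password. Returns (mode, characters the strength formula should see):
      "normal"      whole password, normal calculation
      "digits-only" count only the digits; separators are format noise
      "minus-one"   normal calculation, then subtract 1
    """
    if not password:
        return "normal", password
    digits = "".join(c for c in password if c.isdigit())
    ratio = len(digits) / len(password)
    if ratio <= max_digit_ratio or any(c.isalpha() for c in password):
        return "normal", password          # no standard numeric format contains letters
    if any(c in NUMERIC_SEPARATORS for c in password):
        return "digits-only", digits
    return "minus-one", password


# Formats a cracker would try first. Assumed list, see the lead-in.
_STANDARD_FORMATS = [
    r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}",        # phone: (222) 333-4444, 222-333-4444, 2223334444
    r"\d{3}-?\d{2}-?\d{4}",                      # social security number: 123-45-6789
    r"\d{1,2}[/.-]\d{1,2}[/.-](?:\d{4}|\d{2})",  # date: 5/24/2012, 24-05-12
    r"\d{4}[/.-]\d{1,2}[/.-]\d{1,2}",            # date: 2012-05-24
    r"\d{8}",                                    # compact date: 20120524, 05242012
]
_STANDARD_RE = re.compile(r"\s*(?:" + "|".join(_STANDARD_FORMATS) + r")\s*")


def is_standard_numeric_format(password):
    """True only when the password is nothing but one date, phone number or
    SSN, optionally surrounded by white space. Any other non-space character
    makes it pass, as the page describes."""
    return _STANDARD_RE.fullmatch(password) is not None


def digit_checks_ok(password, allow_all_digits=False, reject_formats=True):
    """Combine the two rejection checks. The ratio adjustment is separate
    because it lowers the strength estimate rather than rejecting."""
    if not allow_all_digits and all_digits(password):
        return False
    if reject_formats and is_standard_numeric_format(password):
        return False
    return True
```

Note that a bare 9 or 10 digit string also matches the SSN and phone patterns; that is deliberate, since those are the "obvious variations" of the formatted versions, and such strings are rejected as all digits anyway.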

Check Words Across Non Letters

When check words across non letters is checked (the default), Password Evaluator removes all non alphabetic characters and checks the remaining letter only string to see whether it is a word or contains words. If this is unchecked, only contiguous sequences of letters are checked for words. It is strongly recommended that this be left checked, as character substitution in words cannot be detected otherwise.

Additional Minimum Word Length

Additional minimum word length, when checking words across non letters, adds the length specified here to the minimum dictionary word length to determine what counts as a word. The intention is to find dictionary words that have been hidden by inserting non letters between two or more of their letters, not to find small words that happen to be created when separate, non contiguous letter sequences that are not words are joined together. Increasing the minimum length by 2, the default, greatly reduces the number of accidentally created words while still catching small separate words that have been combined with non letters.

Unchecking check words across non letters allows passwords like ta2b4l6e. Taking every three to nine letter word from the 45,000 word Linux word list and combining it with every two to five digit sequence that is even, odd, reversed even or reversed odd, to create every such password up to 11 characters, results in only slightly over 6 million passwords. That is a tiny custom dictionary compared to others that have been discussed. Though there are obviously an enormous number of ways to break up words with non letters, the human tendency is to take the easy way, and checking words across non letters is the only practical way to eliminate the simple ones. No password made from a dictionary word variation is good, even if it's not obviously bad, and they should not be allowed.

Maximum Suffix Word Length Ratio

This prevents tacking an "ed" or "ing" suffix onto a short word that normally does not take such a suffix. As long as the length of the password stripped of any additional characters attached to the front, divided by the total length of the password with those front characters still on, is greater than the ratio set here, an error condition results. It is very tricky to add letters to the front of a short word followed by "ed" or "ing" without creating new words, once flipping, rotating, shifting, etc. are added into the mix. The only easy way to add characters to the front is to use digits, symbols and punctuation, perhaps with a letter in the mix.

Until the ratio of the password less its prefix to the full length drops below the maximum suffix word length ratio, the suffix length is counted as part of the word length. Normally only the part that is the dictionary word is counted. Without this, a non word could be made by appending "ing" to a short word that does not take such a suffix; only the short word's length would count, and that would likely be less than the maximum dictionary word length or ratio. For example, unless the "ing" in "adaming", which is not a dictionary word, is counted as part of the word length, "adaming" will be accepted as a password even though it is one of the most trivial dictionary word variations and one which the cracking tools easily exploit.

With the default setting of .75, at least three characters that do not create a new word must be prepended to or mixed into the first part of "adaming" for it to be accepted. Raising this to .8 allows only two additional characters to make an acceptable password. If you care about strong passwords, and presumably you would not be using Password Evaluator unless you do, it's best not to raise this. Values entered here that are less than the maximum word length ratio will have no effect.
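Worked example, added here and not part of pwcheck.pl: the dictionary word checks in Python, covering the maximum word length ratio, check words across non letters with the additional minimum word length, and the maximum suffix word length ratio. The word list is a constructed stand-in for the system word list the script uses, and "stripped of the prefix" is implemented literally as the page states it, i.e. the part of the password from the first letter of the word to the end.

```python
# Added example (not pwcheck.pl's code): dictionary word checks.
# WORDS is a constructed stand-in for a real word list.
import re

WORDS = {"cat", "rat", "bat", "boat", "table", "adam", "dam"}
SUFFIXES = ("ing", "ed")


def find_words(password, words=WORDS, min_word_len=3, additional=2, across=True):
    """Dictionary words found in the password.

    Each contiguous run of letters is searched for words of at least
    min_word_len. With across=True (check words across non letters) the
    password with every non-letter removed is searched as well, but only
    for words of at least min_word_len + additional, so that short words
    formed by chance from separate letter groups are not counted.
    """
    candidates = [(run, min_word_len) for run in re.findall(r"[A-Za-z]+", password)]
    if across:
        candidates.append((re.sub(r"[^A-Za-z]", "", password), min_word_len + additional))
    found = set()
    for text, min_len in candidates:
        text = text.lower()
        for size in range(min_len, len(text) + 1):
            for i in range(len(text) - size + 1):
                if text[i:i + size] in words:
                    found.add(text[i:i + size])
    return found


def longest_word_length(password, words=WORDS, max_suffix_ratio=0.75,
                        min_word_len=3, additional=2, across=True):
    """Word length to use in the ratio test.

    Normally only the dictionary word itself counts. If a word is directly
    followed by "ed" or "ing" (a variation that is not itself in the list),
    and the part of the password from the word onwards, i.e. stripped of
    whatever was prepended, is more than max_suffix_ratio of the whole,
    the suffix is counted as part of the word.
    """
    longest = max((len(w) for w in find_words(password, words, min_word_len, additional, across)),
                  default=0)
    for m in re.finditer(r"[A-Za-z]+", password):
        run = m.group().lower()
        for i in range(len(run)):
            for size in range(min_word_len, len(run) - i + 1):
                if run[i:i + size] not in words:
                    continue
                for suffix in SUFFIXES:
                    if run.startswith(suffix, i + size):
                        stripped = len(password) - (m.start() + i)
                        if stripped / len(password) > max_suffix_ratio:
                            longest = max(longest, size + len(suffix))
    return longest


def word_ratio_ok(password, max_word_ratio=0.66, **settings):
    """Maximum word length ratio: reject when a word (plus any counted
    suffix) is max_word_ratio or more of the password length."""
    if not password:
        return False
    return longest_word_length(password, **settings) / len(password) < max_word_ratio
```

Run against the page's own examples: cat824 and batxzt pass at .66, boat11 fails at .66 and passes at .67, ta2b4l6e yields "table" only when checking across non letters, and "adaming" needs three prepended characters (123adaming) before the "ing" stops counting and the password is accepted; at a suffix ratio of .8, two (12adaming) are enough.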

This page and the information on it may not be published or distributed under the terms of the GeodSoft Publication License. Copyright © 2000 - 2014 George Shaffer. All rights reserved.